I’m struggling to understand the zone-based firewall configuration in VyOS 1.4. Despite following the documentation and consulting ChatGPT, I can’t seem to get my basic use case to work: I want to deny all traffic except for port 22 (SSH). However, my current setup isn’t functioning as expected. What am I missing?
Here is the configuration I have tried:
set firewall ipv4 name TEST rule 1000 action 'accept'
set firewall ipv4 name TEST rule 1000 destination port '22'
set firewall ipv4 name TEST rule 1000 protocol 'tcp'
set firewall zone LOCAL from WAN firewall name 'TEST'
set firewall zone LOCAL local-zone
set firewall zone LOCAL default-action 'drop'
set firewall zone WAN interface 'eth0'
My goal is to harden the router, and I’ve tried various combinations of zone-based firewall settings, but nothing seems to work!
Can anyone point out what I might be doing wrong or provide guidance on the correct setup?
E.g., from my config (older version 1.4-rolling-202304120317, but you get the gist):
# define LOCAL zone
set firewall zone LOCAL from INTERNET firewall name 'INTERNET_TO_LOCAL'
set firewall zone LOCAL local-zone
set firewall zone LOCAL default-action 'drop'
# define INTERNET zone
set firewall zone INTERNET default-action 'drop'
set firewall zone INTERNET enable-default-log
set firewall zone INTERNET from LOCAL firewall name 'LOCAL_TO_ALL'
set firewall zone INTERNET interface 'eth0'
# locally originated traffic to all zones is okay
set firewall name LOCAL_TO_ALL default-action 'accept'
# traffic from internet to VyOS
set firewall name INTERNET_TO_LOCAL default-action 'drop'
set firewall name INTERNET_TO_LOCAL enable-default-log
set firewall name INTERNET_TO_LOCAL rule 11 action 'drop'
set firewall name INTERNET_TO_LOCAL rule 11 description 'Drop traffic with invalid state'
set firewall name INTERNET_TO_LOCAL rule 11 log 'disable'
set firewall name INTERNET_TO_LOCAL rule 11 state invalid 'enable'
set firewall name INTERNET_TO_LOCAL rule 15 action 'accept'
set firewall name INTERNET_TO_LOCAL rule 15 description 'Allow established/related traffic'
set firewall name INTERNET_TO_LOCAL rule 15 log 'disable'
set firewall name INTERNET_TO_LOCAL rule 15 protocol 'all'
set firewall name INTERNET_TO_LOCAL rule 15 state established 'enable'
set firewall name INTERNET_TO_LOCAL rule 15 state related 'enable'
set firewall name INTERNET_TO_LOCAL rule 112 action 'accept'
set firewall name INTERNET_TO_LOCAL rule 112 description 'Allow direct SSH connection from trusted IPs'
set firewall name INTERNET_TO_LOCAL rule 112 destination port '22'
set firewall name INTERNET_TO_LOCAL rule 112 log 'disable'
set firewall name INTERNET_TO_LOCAL rule 112 protocol 'tcp'
set firewall name INTERNET_TO_LOCAL rule 112 source group address-group 'ACL_TRUSTED_IPS'
# group
set firewall group address-group ACL_TRUSTED_IPS address '1.2.3.4'
set firewall group address-group ACL_TRUSTED_IPS address '5.6.7.8'
set firewall group address-group ACL_TRUSTED_IPS description 'Trusted IPs'
@fdervisi I like the manual way (more granularity, but also more work), but to expand on @n.fort his remark, this is what he means:
set firewall global-options state-policy established action accept
set firewall global-options state-policy related action accept
set firewall global-options state-policy invalid action drop
That way return traffic [=established/related] is automatically allowed (and invalid packets are dropped).
Is this statement still true with the use of firewall groups, specifically using interface groups? As in, can I build an equally manageable configuration using filters and interface groups as I could with a zone based configuration?
